Siemens is warning customers of a new and highly sophisticated virus that targets the computers used to manage large-scale industrial control systems used by manufacturing and utility companies.

Siemens learned about the issue on July 14, Siemens Industry spokesman Michael Krampe said in an e-mail message Friday. "The company immediately assembled a team of experts to evaluate the situation. Siemens is taking all precautions to alert its customers to the potential risks of this virus," he said.

Security experts believe the virus appears to be the kind of threat they have worried about for years -- malicious software designed to infiltrate the systems used to run factories and parts of the critical infrastructure.

Some have worried that this type of virus could be used to take control of those systems, to disrupt operations or trigger a major accident, but experts say an early analysis of the code suggests it was probably designed to steal secrets from manufacturing plants and other industrial facilities.

"This has all the hallmarks of weaponized software, probably for espionage," said Jake Brodsky, an IT worker with a large utility, who asked that his company not be identified because he was not authorized to speak on its behalf.

Other industrial systems security experts agreed, saying the malicious software was written by a sophisticated and determined attacker. The software does not exploit a bug in the Siemens system to get onto a PC, but instead uses a previously undisclosed Windows bug to break into the system.

The virus targets Siemens management software called Simatic WinCC, which runs on the Windows operating system.

"Siemens is reaching out to its sales team and will also speak directly to its customers to explain the circumstances," Krampe said. "We are urging customers to carry out an active check of their computer systems with WinCC installations and use updated versions of antivirus software in addition to remaining vigilant about IT security in their production environments."

Late Friday, Microsoft issued a security advisory warning of the issue, saying it affects all versions of Windows, including its latest Windows 7 operating system: http://www.microsoft.com/technet/security/advisory/2286198.mspxThe company has seen the bug exploited only in limited, targeted attacks, Microsoft said.

The systems that run the Siemens software, called SCADA (supervisory control and data acquisition) systems, are typically not connected to the Internet for security reasons, but this virus spreads when an infected USB stick is inserted into a computer.

Once the USB device is plugged into the PC, the virus scans for a Siemens WinCC system or another USB device, according to Frank Boldewin, a security analyst with German IT service provider GAD, who has studied the code. It copies itself to any USB device it finds, but if it detects the Siemens software, it immediately tries to log in using a default password. Otherwise it does nothing, he said in an e-mail interview.

That technique may work, because SCADA systems are often badly configured, with default passwords unchanged, Boldewin said.

To get around Windows systems that require digital signatures -- a common practice in SCADA environments -- the virus uses a digital signature assigned to semiconductor maker Realtek. The virus is triggered anytime a victim tries to view the contents of the USB stick. A technical description of the virus can be found here (pdf): http://www.wilderssecurity.com/attachment.php?attachmentid=219888&d=1279012965

It's unclear how the authors of the virus were able to sign their code with Realtek's digital signature, but it may indicate that Realtek's encryption key has been compromised. The Taiwanese semiconductor maker could not be reached for comment Friday.

In many ways, the virus mimics proof-of-concept attacks that security researchers like Wesley McGrew have been developing in laboratories for years. The systems it targets are attractive to attackers because they can provide a treasure-trove of information about the factory or utility where they're used.

Whoever wrote the virus software may have been targeting a specific installation, said McGrew, founder of McGrew Security and a researcher at Mississippi State University. If the authors had wanted to break into as many computers as possible, rather than a specific target, they would have tried to exploit more popular SCADA management systems such as Wonderware or RSLogix, he said.

According to experts there are several reasons why someone might want to break a SCADA system "There may be money in it," McGrew said. "Maybe you take over a SCADA system and you hold it hostage for money."

Criminals could use the information from a manufacturer's WinCC system to learn how to counterfeit products, said Eric Byres, chief technology officer with security consultancy Byres Security. "This looks like a grade A case of focused IP-harvesting," he said. "This looks focused and real."

Here is one Important info. about this case:Siemens Recommend Don't Change Passwords

Although a newly discovered worm could allow criminals to break into Siemens' industrial automation systems using a default password, Siemens is telling customers to leave their passwords alone.

That's because changing the password could disrupt the Siemens system, potentially throwing large-scale industrial systems that it manages into disarray. "We will be publishing customer guidance shortly, but it won't include advice to change default settings as that could impact plant operations," said Siemens Industry spokesman Michael Krampe in an e-mail message Monday.

The company plans to launch a website late Monday that will provide more details on the first-ever malicious code to target the company's SCADA (supervisory control and data acquisition) products, he said. The Siemens WinCC systems targeted by the worm are used to manage industrial machines in operation worldwide to build products, mix food, run power plants and manufacture chemicals.

Siemens is scrambling to respond to the problem as the Stuxnet worm -- first reported late last week -- starts to spread around the world. Symantec is now logging about 9,000 attempted infections per day, according to Gerry Egan, a director with Symantec Security Response.

The worm spreads via USB sticks, CDs or networked file-sharing computers, taking advantage of a new and currently unpatched flaw in Microsoft's Windows operating system. But unless it finds the Siemens WinCC software on the computer, it simply copies itself wherever it can and goes silent.

Because SCADA systems are part of the critical infrastructure, security experts have worried that they may someday be subject to a devastating attack, but in this case the point of the worm appears to be information theft.

If Stuxnet does discover a Siemens SCADA system, it immediately uses the default password to start looking for project files, which it then tries to copy to an external website, Egan said.

By stealing a plant's SCADA secrets, counterfeiters could learn the manufacturing tricks needed to build a company's products, he said.

Byres' company has been flooded with calls from worried Siemens customers trying to figure out how to stay ahead of the worm.

US-CERT has put out an advisory (ICS-ALERT-10-196-01) for the worm, but the information is not publicly available. According to Byres, however, changing the WinCC password would prevent critical components of the system from interacting with the WinCC system that manages them. "My guess is you would basically disable your whole system if you disable the whole password."

That leaves Siemens customers in a tough spot.

They can, however, make changes so that their computers will no longer display the .lnk files used by the worm to spread from system to system. And they can also disable the Windows WebClient service that allows the worm to spread on a local area network. Late Friday, Microsoft released a security advisory explaining how to do this: http://www.microsoft.com/technet/security/advisory/2286198.mspx

"Siemens has started to develop a solution, which can identify and systematically remove the malware," Siemens' Krampe said. He didn't say when the software would be available.

The Siemens system was designed "assuming that nobody would ever get into those passwords," Byres said. "It's an assumption that nobody will ever try very hard against you."

The default username and passwords used by the worm's writers have been publicly known since they were posted to the Web in 2008, Byres said.

Siemens release a new tool that finds and removes the malicious software along with a full-fledged security update for its SCADA (supervisory control and data acquisition) management products.

Siemens on Thursday released the update along with the tool, developed by security vendor TrendMicro. But in a note sent to customers, the company warned users to check with customer support before removing the software from an infected SCADA system. "As each plant is individually configured, we cannot rule out the possibility that removing the virus may affect your plant in some way," the note reads.

The worm was identified by security vendor VirusBlokAda last month. So far, it has been identified on only one system running Siemens' software -- an engineering computer used by an unnamed German organization. "A production plant has not been affected so far," Siemens said.

Called Stuxnet, the worm is the first publicly identified piece of malware to target SCADA computers, which are used to control things such as manufacturing plants and utility systems. The worm copies itself to other USB systems on the computer and scans for Siemens Simatic WinCC or PCS 7 software. If it finds one of these programs, it tries to upload data from the systems to the Internet.

Siemens doesn't know who built the worm, but is investigating and plans to pursue the matter to the "full extent of the law," the company said on its website.

Looking at the dates on digital signatures generated by the worm, the malicious software may have been in circulation since as long ago as January, said Elias Levy, senior technical director with Symantec Security Response.

Stuxnet was discovered last month by VirusBlokAda, a Belarus-based antivirus company that said it found the software on a system belonging to an Iranian customer. The worm seeks out Siemens SCADA (supervisory control and data acquisition) management systems, used in large manufacturing and utility plants, and tries to upload industrial secrets to the Internet.

Symantec isn't sure why Iran and the other countries are reporting so many infections. "The most we can say is whoever developed these particular threats was targeting companies in those geographic areas," Levy said.

The U.S. has a long-running trade embargo against Iran. "Although Iran is probably one of the countries that has the worst infections of this, they are also probably a place where they don't have much AV right now," Levy said.

Siemens wouldn't say how many customers it has in Iran, but the company now says that two German companies have been infected by the virus. A free virus scanner posted by Siemens earlier this week has been downloaded 1,500 times, a company spokesman said.

Earlier this year, Siemens said it planned to wind down its Iranian business -- a 290-employee unit that netted €438 million (US$562.9 million) in 2008, according to the Wall Street Journal: http://online.wsj.com/article/SB123379548035950207.htmlCritics say the company's trade there has helped feed Iran's nuclear development effort.

Symantec compiled its data by working with the industry and redirecting traffic aimed at the worm's command and control servers to its own computers. Over a three-day period this week, computers located at 14,000 IP addresses tried to connect with the command and control servers, indicating that a very small number of PCs worldwide have been hit by the worm. The actual number of infected machines is probably in the 15,000 to 20,000 range, because many companies place several systems behind one IP address, according to Symantec's Levy.

Because Symantec can see the IP address used by machines that try to connect with the command and control servers, it can tell which companies have been infected. "Not surprisingly, infected machines include a variety of organizations that would use SCADA software and systems, which is clearly the target of the attackers," the company said in its blog post Thursday.

Stuxnet spreads via USB devices. When an infected USB stick is viewed on a Windows machine, the code looks for a Siemens system and copies itself to any other USB devices it can find.